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METHOD AND COMPUTER READABLE MEDIUM FOR 
SUPPRESSING EXECUTION OF SIGNATURE FILE 
DIRECTIVES DURING A NETWORK EXPLOIT 



TECHNICAL FIELD OF THE INVENTION 

This invention relates to network technologies and, more particularly, to 
method and computer readable medium for suppressing execution of directives of a 
signature file during a network exploit. 

CROSS-REFERENCE TO RELATED APPLICATIONS 

This patent application is related to co-pending U.S. Patent Application, Serial 

No - > entitled "SYSTEM AND METHOD OF DEFINING THE 

SECURITY CONDITION OF A COMPUTER SYSTEM," filed October 31, 2001, 

co-assigned herewith; U.S. Patent Application, Serial No. , entitled 

"SYSTEM AND METHOD OF DEFINING THE SECURITY VULNERABILITIES 
OF A COMPUTER SYSTEM," filed October 31, 2001, co-assigned herewith; U.S. 

Patent Application, Serial No. , entitled "SYSTEM AND METHOD 

OF DEFINING UNAUTHORIZED INTRUSIONS ON A COMPUTER SYSTEM," 
filed October 31, 2001, co-assigned herewith; U.S. Patent Application, Serial No. 

» entitled "NETWORK INTRUSION DETECTION SYSTEM AND 

METHOD," filed October 31, 2001, co-assigned herewith; U.S. Patent Application, 

Serial No. , entitled "NODE, METHOD AND COMPUTER 

READABLE MEDIUM FOR INSERTING AN INTRUSION PREVENTION 
SYSTEM INTO A NETWORK STACK," filed October 31, 2001, co-assigned 

herewith; U.S. Patent Application, Serial No. , entitled "METHOD, 

COMPUTER-READABLE MEDIUM, AND NODE FOR DETECTING EXPLOITS 
BASED ON AN INBOUND SIGNATURE OF THE EXPLOIT AND AN 
OUTBOUND SIGNATURE IN RESPONSE THERETO," filed October 31, 2001, 

co-assigned herewith; U.S. Patent Application, Serial No. , entitled 

"NETWORK, METHOD AND COMPUTER READABLE MEDIUM FOR 
DISTRIBUTED SECURITY UPDATES TO SELECT NODES ON A NETWORK," 



10014010-1 



2 



PATENT APPLICATION 



filed October 31, 2001, co-assigned herewith; U.S. Patent Application, Serial No. 
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NODE FOR A THREE-LAYERED INTRUSION PREVENTION SYSTEM FOR 
DETECTING NETWORK EXPLOITS," filed October 31, 2001, co-assigned 

herewith; U.S. Patent Application, Serial No. , entitled "SYSTEM 

AND METHOD OF AN OS-INTEGRATED INTRUSION DETECTION AND 
ANTI- VIRUS SYSTEM," filed October 31, 2001, co-assigned herewith; U.S. Patent 

Application, Serial No. , entitled "METHOD, NODE AND 

COMPUTER READABLE MEDIUM FOR IDENTIFYING DATA IN A 
NETWORK EXPLOIT," filed October 31, 2001, co-assigned herewith; U.S. Patent 

Application, Serial No. , entitled "NODE, METHOD AND 

COMPUTER READABLE MEDRJM FOR OPTIMIZING PERFORMANCE OF 
SIGNATURE RULE MATCHING IN A NETWORK," filed October 31, 2001, co- 
assigned herewith; U.S. Patent Application, Serial No. , entitled 

"METHOD, NODE AND COMPUTER READABLE MEDRJM FOR 
PERFORMING MULTIPLE SIGNATURE MATCHING IN AN INTRUSION 
PREVENTION SYSTEM," filed October 31, 2001, co-assigned herewith; U.S. Patent 

Application, Serial No. , entitled "USER INTERFACE FOR 

PRESENTING DATA FOR AN INTRUSION PROTECTION SYSTEM," filed 
October 31, 2001, co-assigned herewith; U.S. Patent Application, Serial No. 

, entitled "NODE AND MOBILE DEVICE FOR A MOBILE 

TELECOMMUNICATIONS NETWORK PROVIDING INTRUSION 
DETECTION," filed October 31, 2001, co-assigned herewith; U.S. Patent 
Application, Serial No. , entitled "METHOD AND COMPUTER- 
READABLE MEDRJM FOR INTEGRATING A DECODE ENGINE WITH AN 
INTRUSION DETECTION SYSTEM," filed October 31, 2001, co-assigned 

herewith; U.S. Patent Application, Serial No. , entitled "SYSTEM 

AND METHOD OF GRAPHICALLY DISPLAYING DATA FOR AN INTRUSION 
PROTECTION SYSTEM," filed October 31, 2001, co-assigned herewith; and U.S. 

Patent Application, Serial No. , entitled "SYSTEM AND METHOD 

OF GRAPHICALLY CORRELATING DATA FOR AN INTRUSION 
PROTECTION SYSTEM," filed October 31, 2001, co-assigned herewith. 
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BACKGROUND OF THE INVENTION 

Network-exploit attack tools, such as denial-of-service (DoS) attack utilities, 
are becoming increasing sophisticated and, due to evolving technologies, simple to 
execute. Relatively unsophisticated attackers can arrange, or be involved in, computer 
system compromises directed at one or more targeted facilities. A network system 
attack (also referred to herein as an intrusion) is an unauthorized or malicious use of a 
computer or computer network and may involve hundreds or thousands of 
unprotected, or alternatively compromised, Internet nodes together in a coordinated 
attack on one or more selected targets. 

Network attack tools based on the client/server model have become a 
preferred mechanism for executing network attacks on targeted networks or devices. 
High capacity machines in networks having deficient security are often desired by 
attackers to launch distributed attacks therefrom. University servers typically feature 
high connectivity and capacity but relatively mediocre security. Such networks also 
often have inexperienced or overworked network administrators making them even 
more vulnerable for involvement in network attacks. 

Network-exploit attack tools, comprising hostile attack applications such as 
denial-of-service (DoS) utilities, responsible for transmitting data across a network 
medium will often have a distinctive "signature," or recognizable pattern within the 
transmitted data. The signature may comprise a recognizable sequence of particular 
packets and/or recognizable data that is contained within one or more packets. 
Signature analysis is often performed by a network intrusion prevention system (IPS) 
and may be implemented as a pattern-matching algorithm and may comprise other 
signature recognition capabilities as well as higher-level application monitoring 
utilities. A simple signature analysis algorithm may search for a particular string that 
has been identified as associated with a hostile application. Once the string is 
identified within a network data stream, the one or more packets carrying the string 
may be identified as "hostile," or exploitative, and the IPS may then perform any one 
or more of a number of actions, such as logging the identification of the frame, 
performing a countermeasure, or performing another data archiving or protection 
measure. 
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Intrusion prevention systems (IPS) encompass technology that attempts to 
identify exploits against a computer system or network of computer systems. 
Numerous types of IPSs exist and each are generally classified as either a network- 
based, host-based, or node-based IPS. 

Network-based IPS appliances are typically dedicated systems placed at 
strategic places on a network to examine data packets to determine if they coincide 
with known attack signatures. To compare packets with known attack signatures, 
network-based IPS appliances utilize a mechanism referred to as passive protocol 
analysis to inconspicuously monitor, or "sniff," all traffic on a network and to detect 
low-level events that may be discerned from raw network traffic. Network exploits 
may be detected by identifying patterns or other observable characteristics of network 
frames. Network-based IPS appliances examine the contents of data packets by 
parsing network frames and packets and analyzing individual packets based on the 
protocols used on the network. A network-based IPS appliance inconspicuously 
monitors network traffic inconspicuously, i.e., other network nodes may be, and often 
are, unaware of the presence of the network-based LPS appliance. Passive monitoring 
is normally performed by a network-based IPS appliance by implementation of a 
"promiscuous mode" access of a network interface device. A network interface 
device operating in promiscuous mode copies packets directly from the network 
media, such as a coaxial cable, lOObaseT or other transmission medium, regardless of 
the destination node to which the packet is addressed. Accordingly, there is no simple 
method for transmitting data across the network transmission medium without the 
network-based IPS appliance examining it and thus the network-based IPS appliance 
may capture and analyze all network traffic to which it is exposed. Upon 
identification of a suspicious packet, i.e., a packet that has attributes corresponding to 
a known attack signature monitored for occurrence by the network-based IPS 
appliance, an alert may be generated thereby and transmitted to a management 
module of the IPS so that a networking expert may implement security measures. 
Network-based IPS appliances have the additional advantage of operating in real-time 
and thus can detect an attack as it is occurring. Moreover, a network-based IPS 
appliance is ideal for implementation of a state-based IPS security measure that 
requires accumulation and storage of identified suspicious packets of attacks that may 
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not be identified "atomically," that is by a single network packet. For example, 
transmission control protocol (TCP) synchronization (SYN) flood attacks are not 
identifiable by a single TCP SYN packet but rather are generally identified by 
accumulating a count of TCP SYN packets that exceed a predefined threshold over a 
defined period of time. A network-based IPS appliance is therefore an ideal platform 
for implementing state-based signature detection because the network-based IPS 
appliance may collect all such TCP SYN packets that pass over the local network 
media and thus may properly archive and analyze the frequency of such events. 

However, network-based IPS appliances may often generate a large number of 
"false positives/' i.e., incorrect diagnoses of an attack. False positive diagnoses by 
network-based IPS appliances result, in part, due to errors generated during passive 
analysis of all the network traffic captured by the IPS that may be encrypted and 
formatted in any number of network supported protocols. Content scanning by a 
network-based IPS is not possible on an encrypted link although signature analysis 
based on protocol headers may be performed regardless of whether the link is 
encrypted or not. Additionally, network-based IPS appliances are often ineffective in 
high speed networks. As high speed networks become more commonplace, software- 
based network-based IPS appliances that attempt to sniff all packets on a link will 
become less reliable. Most critically, network-based IPS appliances can not prevent 
attacks unless integrated with, and operated in conjunction with, a firewall protection 
system. 

Host-based IPSs detect intrusions by monitoring application layer data. Host- 
based IPSs employ intelligent agents to continuously review computer audit logs for 
suspicious activity and compare each change in the logs to a library of attack 
signatures or user profiles. Host-based IPSs may also poll key system files and 
executable files for unexpected changes. Host-based IPSs are referred to as such 
because the IPS utilities reside on the system to which they are assigned to protect. 
Host-based IPSs typically employ application-level monitoring techniques that 
examine application logs maintained by various applications. For example, a host- 
based IPS may monitor a database engine that logs failed access attempts and/or 
modifications to system configurations. Alerts may be provided to a management 
node upon identification of events read from the database log that have been 
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identified as suspicious. Host-based IPSs, in general, generate very few false- 
positives. However, host-based IPS such as log-watchers are generally limited to 
identifying intrusions that have already taken place and are also limited to events 
occurring on the single host. Because log-watchers rely on monitoring of application 
logs, any damage resulting from the logged attack will generally have taken place by 
the time the attack has been identified by the IPS. Some host-based IPSs may perform 
intrusion-preventative functions such as 'hooking' or 'intercepting' operating system 
application programming interfaces to facilitate execution of preventative operations 
by an IPS based on application layer activity that appears to be intrusion-related. 
Because an intrusion detected in this manner has already bypassed any lower level 
IPS, a host-based IPS represents a last layer of defense against network exploits. 
However, host-based IPSs are of little use for detecting low-level network events such 
as protocol events. 

Node-based IPSs apply the intrusion detection and/or prevention technology 
on the system being protected. An example of node-based DPS technologies is inline 
intrusion detection. A node-based IPS may be implemented at each node of the 
network that is desired to be protected. Inline IPSs comprise intrusion detection 
technologies embedded in the protocol stack of the protected network node. Because 
the inline IPS is embedded within the protocol stack, both inbound and outbound data 
will pass through, and be subject to monitoring by, the inline IPS. An inline IPS 
overcomes many of the inherent weaknesses of network-based solutions. As 
mentioned hereinabove, network-based solutions are generally ineffective when 
monitoring high-speed networks due to the fact that network-based solutions attempt 
to monitor all network traffic on a given link. Inline intrusion prevention systems, 
however, only monitor traffic directed to the node on which the inline IPS is installed. 
Thus, attack packets can not physically bypass an inline IPS on a targeted machine 
because the packet must pass through the protocol stack of the targeted device. Any 
bypassing of an inline IPS by an attack packet must be done entirely by 'logically' 
bypassing the IPS, i.e., an attack packet that evades an inline IPS must do so in a 
manner that causes the inline IPS to fail to identify, or improperly identify, the attack 
packet. Additionally, inline IPSs provide the hosting node with low-level monitoring 
and detection capabilities similar to that of a network IPS and may provide protocol 
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analysis and signature matching or other low-level monitoring or filtering of host 
traffic. The most significant advantage offered by inline IPS technologies is that 
attacks are detected as they occur. Whereas host-based IPSs determine attacks by 
monitoring system logs, inline intrusion detection involves monitoring network traffic 
and isolating those packets that are determined to be part of an attack against the 
hosting server and thus enabling the inline IPS to actually prevent the attack from 
succeeding. When a packet is determine to be part of an attack, the inline IPS layer 
may discard the packet thus preventing the packet from reaching the upper layer of 
the protocol stack where damage may be caused by the attack packet - an effect that 
essentially creates a local firewall for the server hosting the inline IPS and protecting 
it from threats coming either from an external network, such as the Internet, or from 
within the network. Furthermore, the inline IPS layer may be embedded within the 
protocol stack at a layer where packets have been unencrypted so that the inline IPS is 
effective operating on a network with encrypted links. Additionally, inline IPSs can 
monitor outgoing traffic because both inbound and outbound traffic respectively 
destined to and originating from a server hosting the inline IPS must pass through the 
protocol stack. 

Although the advantages of inline IPS technologies are numerous, there are 
drawbacks to implementing such a system. Inline intrusion detection is generally 
processor intensive and may adversely effect the node's performance hosting the 
detection utility. Additionally, inline IPSs may generate numerous false positive 
attack diagnoses. Furthermore, inline IPSs cannot detect systematic probing of a 
network, such as performed by reconnaissance attack utilities, because only traffic at 
the local server hosting the inline IPS is monitored thereby. 

Each of network-based, host-based and inline-based IPS technologies have 
respective advantages as described above. Ideally, an intrusion prevention system 
will incorporate all of the aforementioned intrusion detection strategies. Additionally/ 
an IPS may comprise one or more event generation mechanisms that report 
identifiable events to one or more management facilities. An event may comprise an 
identifiable series of system or network conditions or it may comprise a single 
identified condition. An IPS may also comprise an analysis mechanism or module 
and may analyze events generated by the one or more event generation mechanisms. 
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A storage module may be included within an IPS for storing data associated with 
intrusion-related events. A countermeasure mechanism may also be included within 
the IPS for executing an action intended to thwart, or negate, a detected exploit. 

Typical IPSs are particularly vulnerable to bandwidth-consumption type 
exploits such as distributed denial of service attacks. These exploits flood the targeted 
system in an effort to consume all available resources and cripple the operating 
system and/or the IPS. Typical bandwidth consumption attacks take the form of a 
distributed coordinated attack from many machines that direct the attack at a single 
targeted node. Even an IPS that may recognize the attack is often unable to defend 
the targeted system against such an attack as the attacker can simply increase the 
number of systems included in the distributed attack until the amount of processing 
required by the targeted system for managing intrusion-related event processing 
overwhelms the node. 

SUMMARY OF THE INVENTION 

In accordance with an embodiment of the present invention, a method of 
analyzing frames at a node of a network by an intrusion prevention system executed 
by the node comprising reading a frame by the intrusion prevention system, 
comparing the frame with a machine-readable signature file, determining the frame 
has a frame signature that corresponds with the machine-readable signature file, and 
determining the machine-readable signature file has an associated squelch comprising 
a squelch threshold and a squelch period is provided. 

In accordance with another embodiment of the present invention, a computer- 
readable medium having stored thereon a set of instructions to be executed, the set of 
instructions that, when executed by a processor, cause the processor to perform a 
computer method of reading a frame, comparing the frame with a machine-readable 
signature file, determining the frame has a frame signature that corresponds with the 
machine-readable signature file, and determining the machine-readable signature file 
has an associated squelch comprising a squelch threshold and a squelch period is 
provided. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

For a more complete understanding of the present invention, the objects and 
advantages thereof, reference is now made to the following descriptions taken in 
connection with the accompanying drawings in which: 

FIGURE 1 illustrates an exemplary arrangement for executing a computer 
system compromise according to the prior art; 

FIGURE 2 illustrates a comprehensive intrusion prevention system employing 
network-based and hybrid host-based and node based intrusion detection technologies 
according to an embodiment of the invention; 

FIGURE 3 is an exemplary network protocol stack according to the prior art; 

FIGURE 4 illustrates a network node that may run an instance of an intrusion 
protection system application according to an embodiment of the present invention; 

FIGURE 5 illustrates an exemplary network node that may operate as a 
management node within a network protected by the intrusion protection system 
according to an embodiment of the present invention; 

FIGURE 6 illustrates an exemplary protocol stack having an intrusion 
prevention system inserted therein and in which a signature analysis process 
according to an embodiment of the present invention may be employed; and 

FIGURE 7 is a flowchart of a signature analysis procedure according to an 
embodiment of the present invention. 

DETAILED DESCRIPTION OF THE DRAWINGS 

The preferred embodiment of the present invention and its advantages are best 
understood by referring to FIGURES 1 through 7 of the drawings, like numerals being 
used for like and corresponding parts of the various drawings. 

In FIGURE 1, there is illustrated an exemplary arrangement for executing a 
computer system compromise - the illustrated example showing a simplified 
distributed intrusion network 40 arrangement typical of distributed system attacks 
directed at a target machine 30. An attack machine 10 may direct execution of a 
distributed attack by any number of attacker attack agents 20A-20N by one of 
numerous techniques such as remote control by IRC "robot" applications. Attack 
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agents 20A-20N, also referred to as "zombies" and "attack agents," are generally 
computers that are available for public use or that have been compromised such that a 
distributed attack may be launched upon command of an attack machine 10. 
Numerous types of distributed attacks may be launched against a target machine 30. 
The target machine 30 may suffer extensive damage from simultaneous attack by 
attack agents 20A-20N and the attack agents 20A-20N may be damaged from the 
client attack application as well. A distributed intrusion network may comprise an 
additional layer of machines involved in an attack intermediate the attack machine 10 
and attack agents 20A-20N. These intermediate machines are commonly referred to 
as "handlers" and each handler may control one or more attack agents 20A-20N. The 
arrangement shown for executing a computer system compromise is illustrative only 
and may compromise numerous arrangements that are as simple as a single attack 
machine 10 attacking a target machine 30 by, for example, sending malicious probe 
packets or other data intended to compromise target machine 30. Target machine may 
be, and often is, connected to a larger network and access thereto by attack machine 
10 may cause damage to a large collection of computer systems commonly located 
within the network. 

In FIGURE 2, there is illustrated a comprehensive intrusion prevention system 
employing network-based and hybrid host-based/node-based intrusion detection 
technologies according to an embodiment of the invention. One or more networks 
100 may interface with the Internet 50 via a router 45 or other device. In the 
illustrative example, network 100 comprises two Ethernet networks 55 and 56. 
Ethernet network 55 comprises a web-content server 270A and a file transport 
protocol- content server 270B. Ethernet network 56 comprises a domain name server 
270C, a mail server 270D, a database sever 270E and a file server 270F. A 
firewall/proxy router 60 disposed intermediate Ethernets 55 and 56 provides security 
and address resolution to the various systems of network 56. A network-based IPS 
appliance 80 and 81 is respectively implemented on both sides of firewall/proxy 
router 60 to facilitate monitoring of attempted attacks against one or more elements of 
Ethernets 55 and 56 and to facilitate recording successful attacks that successfully 
penetrate firewall/proxy router 60. Network-based IPS appliances 80 and 81 may 
respectively comprise (or alternatively be connected to) a database 80A and 81 A of 
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known attack signatures, or rules, against which network frames captured thereby 
may be compared. Alternatively, a single database (not shown) may be centrally 
located within network 100 and may be accessed by network-based IPS appliances 80 
and 81. Accordingly, network-based IPS appliance 80 may monitor all packets 
inbound from Internet 50 to network 100 arriving at Ethernet network 55. Similarly, a 
network-based IPS appliance 81 may monitor and compare all packets passed by 
firewall/proxy router 60 for delivery to Ethernet network 56. An IPS management 
node 85 may also be part of network 100 to facilitate configuration and management 
of the IPS components in network 100. 

In view of the above-noted deficiencies of network-based intrusion prevention 
systems, a hybrid host-based and node-based intrusion prevention system is 
preferably implemented within each of the various nodes, such as servers 270A-270N 
(also referred to herein as "nodes"), of Ethernet networks 55 and 56 in the secured 
network 100. Management node 85 may receive alerts from respective nodes within 
network 100 upon detection of an intrusion event by any one of the network-based 
IPS appliances 80 and 81 as well as any of the nodes of network 100 having a hybrid 
agent-based and node-based IPS implemented thereon. Additionally, each node 
270A-270F may respectively employ a local file system for archiving intrusion- 
related events, generating intrusion-related reports, and storing signature files against 
which local network frames and/or packets are examined. 

Preferably, network-based IPS appliances 80 and 81 are dedicated entities for 
monitoring network traffic on associated Ethernets 55 and 56 of network 100. To 
facilitate intrusion detection in high speed networks, network-based IPS appliances 80 
and 81 preferably comprise a large capture RAM for capturing packets as they arrive 
on respective Ethernet networks 55 and 56. Additionally, it is preferable that 
network-based IPS appliances 80 and 81 respectively comprise hardware-based filters 
for filtering network traffic, although IPS filtering by network-based IPS appliances 
80 and 81 maybe implemented in software. Moreover, network-based IPS appliances 
80 and 81 may be configured, for example by demand of IPS management node 85, to 
monitor one or more specific devices rather than all devices on a common network. 
For example, network-based IPS appliance 80 may be directed to monitor only 
network data traffic addressed to web server 270A. 
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Hybrid host-based/node-based intrusion prevention system technologies may 
be implemented on all nodes 270A-270N on Ethernet networks 55 and 56 that may be 
targeted by a network attack. In general, each node is comprised of a reprogrammable 
computer having a central processing unit (CPU), a memory module operable to store 
machine-readable code that is retrievable and executable by the CPU, and may further 
comprise various peripheral devices, such as a display monitor, a keyboard, a mouse 
or another device, connected thereto. A storage media, such as a magnetic disc, an 
optical disc or another component operable to store data, may be connected to 
memory module and accessible thereby and may provide one or more databases for 
archiving local intrusion events and intrusion event reports. An operating system may 
be loaded into memory module, for example upon bootup of the respective node, and 
comprises an instance of a protocol stack as well as various low-level software 
modules required for tasks such as interfacing to peripheral hardware, scheduling of 
tasks, allocation of storage as well as other system tasks. Each node protected by the 
hybrid host-based and node-based IPS of the present invention accordingly has an IPS 
software application maintained within the node, such as in a magnetic hard disc, that 
is retrievable by the operating system and executable by the central processing unit. 
Additionally, each node executing an instance of the IPS application has a local 
database from which signature descriptions of documented attacks may be fetched 
from storage and compared with a packet or frame of data to detect a correspondence 
therebetween. Detection of a correspondence between a packet or frame at an IDS 
server may result in execution of any one or more of various security procedures. 

The IPS described with reference to FIGURE 2 may be implemented on any 
number of platforms. Each hybrid host-based/node-based instance of the IPS 
application described herein is preferably implemented on a network node, such as 
web server 270A operated under control of an operating system, such as Windows NT 
4.0 that is stored in a main memory and running on a central processing unit, and 
attempts to detect attacks targeted at the hosting node. The particular network 100 
illustrated in FIGURE 2 is exemplary only and may comprise any number of network 
nodes, such as network servers or computers. Corporate, and other large scale, 
networks may typically comprise numerous individual systems providing similar 
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services. For example, a corporate network may comprise hundreds of individual web 
servers, mail servers, FTP servers and other systems providing common data services. 

Each operating system of a node incorporating an instance of an IPS 
application additionally comprises a network protocol stack 90, as illustrated in 
FIGURE 3, that defines the entry point for frames received by a targeted node from 
the network, e.g. the Internet or Intranet. Network stack 90 as illustrated is 
representative of the well-known WindowsNT (TM) system network protocol stack 
and is so chosen to facilitate discussion and understanding of the invention. However, 
it should be understood that the invention is not limited to a specific implementation 
of the illustrated network stack 90 but, rather, stack 90 is described to facilitate 
understanding of the invention. Network stack 90 comprises a transport driver 
interface (TDI) 125, a transport driver 130, a protocol driver 135 and a media access 
control (MAC) driver 145 that interfaces with the physical media 101. Transport 
driver interface 125 functions to interface the transport driver 130 with higher-level 
file system drivers. Accordingly, TDI 125 enables operating system drivers, such as 
network redirectors, to activate a session, or bind, with the appropriate protocol driver 
135. Accordingly, a redirector can access the appropriate protocol, for example UDP, 
TCP, NetBEUI or other network or transport layer protocol, thereby making the 
redirector protocol-independent. The protocol driver 135 creates data packets that are 
sent from the computer hosting the network protocol stack 90 to another computer or 
device on the network or another network via the physical media 101. Typical 
protocols supported by an NT network protocol stack comprise NetBEUI, TCP/IP, 
NWLink, Data Link Control (DLC) and AppleTalk although other transport and/or 
network protocols may be supported. MAC driver 145, for example an Ethernet 
driver, a token ring driver or other networking driver, provides appropriate formatting 
and interfacing with the physical media 101 such as a coaxial cable or another 
transmission medium. 

The capabilities of the host-based IPS comprise application monitoring of: file 
system events; registry access; successful security events; failed security events and 
suspicious process monitoring. Network access applications, such as Microsoft IIS 
and SQL Server, may also have processes related thereto monitored. 
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Intrusions may be prevented on a particular IPS host by implementation of 
inline, node-based monitoring technologies. The inline-IPS is preferably included as 
part of a hybrid host-based/node-based IPS although it may be implemented 
independently of any host-based IPS system. The inline-IPS will analyze packets 
received at the hosting node and perform signature analysis thereof against a database 
of known signatures by network layer filtering. 

In FIGURE 4, there is illustrated a network node 270 that may run an instance 
of an IPS application 91 and thus operate as an EPS server. IPS application 91 may be 
implemented as a three-layered IPS, as described in co-pending application entitled 
"Method, Computer Readable Medium, and Node for a Three-Layered Intrusion 
Prevention System for Detecting Network Exploits" and filed concurrently herewith, 
and may comprise a server application and/or a client application. Network node 270, 
in general, comprises a central processing unit (CPU) 272 and a memory module 274 
operable to store machine-readable code that is retrievable and executable by CPU 
272 via a bus (not shown). A storage media 276, such as a magnetic disc, an optical 
disc or another component operable to store data, may be connected to memory 
module 274 and accessible thereby by the bus as well. An operating system 275 may 
be loaded into memory module 274, for example upon bootup of node 270, and 
comprises an instance of protocol stack 90 and may have an intrusion prevention 
system application 91 loaded from storage media 276. One or more network exploit 
rules, an exemplary form described in co-pending application entitled "Method, Node 
and Computer Readable Medium for Identifying Data in a Network Exploit" and filed 
concurrently herewith, may be compiled into a machine-readable signature(s) and 
stored within a database 277 that is loadable into memory module 274 and may be 
retrieved by IPS application 91 for facilitating analysis of network frames and/or 
packets. 

In FIGURE 5, there is illustrated an exemplary network node that may operate 
as a management node 85 of the IPS of a network 100. Management node 85, in 
general, comprises a CPU 272 and a memory module 274 operable to store machine- 
readable code that is retrievable and executable by CPU 272 via a bus (not shown). A 
storage media 276, such as a magnetic disc, an optical disc or another component 
operable to store data, may be connected to memory module 274 and accessible 
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thereby by the bus as well. An operating system 275 may be loaded into memory 
module 274, for example upon bootup of node 85 , and comprises an instance of 
protocol stack 90. Operating system 275 is operable to fetch an IPS management 
application 279 from storage media 276 and load management application 279 into 
memory module 274 where it may be executed by CPU 272. Node 85 preferably has 
an input device 281, such as a keyboard, and an output device 282, such as a monitor, 
connected thereto. 

An operator of management node 85 may input one or more text-files 277A- 
277N via input device 281. Each text-file 277A-277N may define a network-based 
exploit and comprise a logical description of an attack signature as well as IPS 
directives to execute upon an IPS evaluation of an intrusion-related event associated 
with the described attack signature. Each text file 277A-277N may be stored in a 
database 278A on storage media 276 and compiled by a compiler 280 into a 
respective machine-readable signature file 281A-281N that is stored in a database 
278B. Each of the machine-readable signature files 281A-281N comprises binary 
logic representative of the attack signature as described in the respectively associated 
text-file 277A-277N. An operator of management node 85 may periodically direct 
management node 85, through interaction with a client application of IPS application 
279 via input device 281, to transmit one or more machine-readable signature files 
(also generally referred to herein as "signature files") stored in database 278B to a 
node, or a plurality of nodes, in network 100. Alternatively, signature files 28 1A- 
28 IN may be stored on a computer-readable medium, such as a compact disk, 
magnetic floppy disk or another portable storage device, and installed on node 270 of 
network 100. Application 279 is preferably operable to transmit all such signature- 
files 281A-281N, or one or more subsets thereof, to a node, or a plurality of nodes, in 
network 100. Preferably, IPS application 279 provides a graphical user interface on 
output device 282 for facilitating input of commands thereto by an operator of node 
85. 

In FIGURE 6, there is illustrated an exemplary protocol stack 90A having an 
intrusion protection system inserted therein and in which a signature analysis process 
of the present invention may be employed. Network stack 90A comprises TDI 125, a 
transport driver 130, a protocol driver 135 and a media access control (MAC) driver 
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145 that interfaces with the physical media 101. Transport driver interface 125 
functions to interface the transport driver 130 with higher-level file system drivers and 
enables operating system drivers to bind with an appropriate protocol driver 135. 
Protocol driver 135 creates data packets that are sent from the computer hosting 
network protocol stack 90A to another computer or device on the network or another 
network via physical media 101. MAC driver 145 provides appropriate formatting 
and interfacing with the physical media 101. Network stack 90A additionally may 
comprise a dynamically linked library 115 that allows a plurality of subroutines to be 
accessed by applications 105, comprising an IPS server, at application layer 112 of 
network stack 90A and facilitates linking with other applications thereby. 
Dynamically linked library 115 may alternatively be omitted and the functionality 
thereof may be incorporated into the operating system kernel as is understood in the 
art. 

An intrusion prevention system network filter service provider 140 is installed 
above the physical media driver 145, such as an Ethernet driver, token ring driver, 
etc., and bound thereto. Intrusion prevention system network filter service provider 
140 is preferably bound to protocol driver 135 as well. Thus, all machine-readable 
signature files maintained in database 277 may thereby be validated against incoming 
and outgoing frames. IPS network filter service provider 140 provides low level- 
filtering to facilitate suppression of network attacks comprising, but not limited to, 
"atomic" network attacks, network protocol level attacks, IP port filtering, and also 
serves to facilitate collection of network statistics. Accordingly, by implementing a 
filter service provider 140 of the EPS at the network layer of network stack 90A, the 
IPS observes identical data that the network stack processes and is able to suppress 
inbound and/or outbound data at the network layer. Accordingly, filter service 
provider 140 may evaluate execution of IPS services based on processing behavior of 
the network stack. 

A common attack technique for circumventing an IPS involves intentionally 
launching a series of attack packets at a node that each violate a signature file thereof 
in order to cause the IPS to generate a series of intrusion-report frames or to cause the 
IPS to execute any number of processor-intensive countermeasures such that the IPS 
may become overloaded and disabled - an attack technique commonly referred to as a 
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bandwidth consumption attack. For example, as an IPS network filter service 
provider 140 detects an intrusion-related event, for example a correspondence 
between a network frame analyzed thereby and a signature file, such as one or more 
signature files 281A-281N stored in database 277, a report frame may be generated by 
IPS network filter service provider 140 and passed to an DPS server running at 
application layer 112 where it may be analyzed, archived, used in generation of an 
intrusion report, used to trigger a countermeasure or to activate another security 
measure. Generation of a report frame, and subsequent processes resulting therefrom, 
consume processor resources at the node running the IP S. IPS applications of the 
prior art will generate a report and transmit the report to management node 85 or to a 
local archive each instance a network-exploit rule is violated in prior art IPSs. As 
described, an attacker is often able to take advantage of the report generation 
mechanisms implemented to facilitate disablement of a prior art IPS. The attacker 
may then commence any number of attacks on the targeted node. 

According to the present invention, signature files generated from network 
exploit rules may be analyzed in real-time and are configured with a suppression 
count and suppression interval to avoid the overhead of logging network-exploit 
events when the system is being rapidly attacked and system resources are limited. 
FIGURE 7 shows a flowchart of a signature analysis procedure according to an 
embodiment of the invention. A squelch routine may be implemented in IPS 
application 91. The squelch routine processing illustrated by the flowchart of 
FIGURE 7 facilitates a reduction of false-positive reports and exploit-event report 
generation that may otherwise be used to disable an IPS in a bandwidth-consumption 
exploit. As described hereinabove, one or more IPS directives may be included in a 
given signature file that logically defines an action the IPS is to perform upon 
detection of an intrusion event related to the signature file. A squelch is preferably 
defined in a signature file and comprises a squelch period and a squelch threshold. A 
frame counter is maintained by the node running the signature analysis process of the 
invention and may be incremented each time a signature rule is violated, that is each 
time an analyzed frame or packet is detected as having a signature corresponding to a 
machine-readable signature file 281A-281N. Event logging and other management 
procedures or directives defined in the signature file, such as generation of exploit- 
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event reports by the targeted node and transmission of the exploit-event reports to 
management node 85, that are to be performed by the IPS upon detection of an 
intrusion-event, or signature violation, may be suspended when the frame counter 
exceeds a specified squelch threshold during a predefined time interval or squelch 
period. The squelch may be generically designated such that violation of any rule of 
all signatures recognizable by the IPS results in an increment of the frame counter. 
Alternatively, each signature file may have an individually designated squelch 
threshold and squelch period assigned thereto. 

While the signature analysis process of FIGURE 7 is described with reference 
to frame signature analysis, it is understood that packet signature analysis may be 
substituted therefor. The signature analysis process of the invention begins when a 
frame is read by the IPS (step 151). A signature file may be processed by the IPS and 
an evaluation of whether the signature file is enabled is made (step 152). If the 
signature file is disabled, an exemplary technique thereof described in co-pending 
application entitled "Node, Method and Computer Readable Medium for Optimizing 
Performance of Signature Rule Matching in a Network" and filed concurrently 
herewith, the signature analysis process returns to await reading of the next frame. 
Upon evaluation that the signature file is enabled, a determination of violation of the 
signature file is made, i.e., an evaluation of a correspondence between the frame read 
and a signature file is performed by, for example, a pattern matching algorithm or 
another signature comparison technique (step 153). Upon confirmation that an active 
signature file has been violated, an analysis of the signature file is made to determine 
whether the signature file has an enabled squelch associated therewith (step 154). 
Evaluation of a non-enabled squelch results in execution of the directives of the 
signature file (step 155) and the signature analysis process returns to await reading of 
the next frame. An affirmative evaluation of an enabled squelch of an active 
signature file results in analysis of the defined squelch period to determine whether 
the squelch period has elapsed (step 156). A new squelch period is initiated if the 
squelch period has elapsed since the previous identification of a frame identified as 
matching the signature file (step 158). However, if the squelch period has not 
elapsed, an analysis is made to determine whether the squelch threshold has been 
exceeded by the frame counter that increments each time a given signature file is 
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violated by an analyzed signature of a read frame. The signature file directive(s) is 
executed in the event the squelch threshold has not been exceeded by the frame 
counter (step 155). Confirmation of an exceeded squelch threshold results in 
suppression, that is rejection, of execution of one or more signature file directives 
such as transmission of an exploit-report frame and/or rejection of another processor- 
intensive security measures such as logging of the exploit frame (step 159) such that a 
reduction in the amount of intrusion-related event logging is achieved without 
compromising the security policies of IPS 91, that is IPS 91 may continue to filter for 
intrusion-related packets and/or frames while reducing processor overhead that would 
otherwise be required by execution of directives such as logging of intrusion-related 
data. The frame counter is incremented (step 160) in either case that the squelch 
period has elapsed or not (step 160) in order to record the occurrence of the 
correspondence between the read frame and the signature file. The signature analysis 
routine then evaluates whether more signature files remain (step 162), such as in 
database 277, for comparison with the read frame, and the process is returned, upon 
an affirmative evaluation, to determine whether the remaining signature files are 
active (step 152). If no signature files remain for comparison with the read frame, the 
process returns to wait for reading of the next frame. Accordingly, once the 
suppression count has been reached, exploit reports, or execution of other signature 
file directives, generated by the attacked node may be suppressed so that an overflow 
of event notifications is prevented from consuming system resources. 

The signature analysis process described may be implemented in machine- 
readable code and may be executed by any node of network 100 having a processor 
operable to read and execute the machine-readable code. The machine-readable code 
comprising logic for causing the signature analysis process to be performed by a 
processor may be delivered electronically thereto or may be carried on a computer 
readable medium such as magnetic disc, optical disc or another medium suitable for 
storage and delivery of machine-readable instruction sets. 



